PERFORCE change 218793 for review

Robert Watson rwatson at FreeBSD.org
Mon Oct 22 06:35:36 UTC 2012


http://p4web.freebsd.org/@@218793?ac=10

Change 218793 by rwatson at rwatson_svr_ctsrd_mipsbuild on 2012/10/20 10:00:09

	First of several changes to update the CheriBSD headers for CHERI
	ISAv2; in this pass, header files are (generally) updated based on
	definition changes, excluding instruction changes:
	
	- Revision (I think) to split the first 64-bit field into two 32-bit
	  fields for the permissions and reserved bits, so swap them in the
	  code.  Not 100% sure this is right, endianness is confusing.
	
	- C26 has been returned to the pool of general-purpose registers, so
	  include it in saved frame state for user threads.  On the other
	  hand, we're no longer saving TSC, so remove saving of C28.
	
	- Expand comments on C25 use, and how we plan to return it to the
	  register pool once life is better.
	
	- A few other useful comments on cp2_frame.
	
	- Remove old permission definitions; define new ones.
	
	- Comment that we now likely no longer require the unpriv
	  capability, since we can clear capability registers, but leave it
	  for now, until the code is updated.
	
	- Update definitions further for the reserved register juggle.
	
	- There is a possible bug in the CHERI ISAv2 spec, so don't quite
	  use the exception codes listed (KDC is probably not the same
	  exception code as EPCC).

Affected files ...

.. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#6 edit
.. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheriasm.h#6 edit
.. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cherireg.h#5 edit

Differences ...

==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#6 (text+ko) ====

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2011 Robert N. M. Watson
+ * Copyright (c) 2011-2012 Robert N. M. Watson
  * All rights reserved.
  *
  * This software was developed by SRI International and the University of
@@ -42,8 +42,8 @@
  */
 #define	CAPABILITY_SIZE	32
 struct chericap {
+	uint32_t	c_reserved;
 	uint32_t	c_uperms;
-	uint32_t	c_reserved;
 	union {
 		uint64_t	c_otype;
 		uint64_t	c_eaddr;
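Review bot: The reordering of c_reserved ahead of c_uperms at L61/L63 encodes a word-layout assumption that the commit message itself marks as unverified, but nothing in the header records it, so the next reader has no way to know whether the order was checked against the ISAv2 document or guessed. A comment above the struct should state the assumption and its status, e.g. `/* ISAv2 splits the first 64-bit word into reserved bits and uperms; the field order here assumes the big-endian MIPS word layout -- XXXRW: unverified against the spec. */`. A `CTASSERT(sizeof(struct chericap) == CAPABILITY_SIZE)` next to the definition would also pin the size directly rather than only via the cp2_frame assertion. The struct continues past the end of this hunk.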
@@ -68,25 +68,30 @@
 	struct chericap	cf_c0;
 
 	/*
-	 * General-purpose capabilities -- note, numbering is from v1.3 of
-	 * the CHERI ISA spec.  v1.4 is expected to renumber the specific
-	 * purpose capabilities to be at the bottom, rather than the top, of
-	 * the capability register space (per Ross Anderson's suggestion).
+	 * General-purpose capabilities -- note, numbering is from v1.7 of the
+	 * CHERI ISA spec (ISAv2).
+	 *
+	 * XXXRW: Currently, C25 is used in-kernel to maintain a saved UDC
+	 * (C0), and so not part of cp2_frame.  This will change in the
+	 * future.
 	 */
 	struct chericap	cf_c1, cf_c2, cf_c3, cf_c4;
 	struct chericap	cf_c5, cf_c6, cf_c7;
 	struct chericap	cf_c8, cf_c9, cf_c10, cf_c11, cf_c12;
 	struct chericap	cf_c13, cf_c14, cf_c15, cf_c16, cf_c17;
 	struct chericap	cf_c18, cf_c19, cf_c20, cf_c21, cf_c22;
-	struct chericap	cf_c23, cf_c24;
+	struct chericap	cf_c23, cf_c24, cf_c26;
 
 	/*
 	 * Special-purpose capability registers that must be preserved on a
-	 * user context switch.  Note that KT0, KT1, KCC, and KDC are omitted.
+	 * user context switch.  Note that KRC0, KRC1, KCC, and KDC are
+	 * omitted.
 	 */
-	struct chericap	cf_tsc;
+	/* XXXRW: Gone in v1.7: struct chericap	cf_tsc; */
 
-	/* Program counter capability. */
+	/*
+	 * Program counter capability -- extracted from exception frame EPCC.
+	 */
 	struct chericap	cf_pcc;
 };
 CTASSERT(sizeof(struct cp2_frame) == (27 * CAPABILITY_SIZE));
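Review bot: The comment at L93-L94 names the omitted kernel registers KRC0 and KRC1, while cherireg.h in this same change defines them as CHERI_CR_KR1C and CHERI_CR_KR2C (C27 and C28); one spelling should be used, e.g. `* user context switch.  Note that KR1C, KR2C, KCC, and KDC are omitted.`. The same comment could also say that C25 (UDC) is absent from the cf_c* list because it is written to the cf_c0 slot by SAVE_CP2_CONTEXT, since its omission otherwise reads like an oversight. The commented-out declaration at L97 is better replaced by a plain note such as `/* TSC (C28) was removed in ISA v1.7; its frame slot now holds C26. */`, so no dead code is left in the struct.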

==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheriasm.h#6 (text+ko) ====

@@ -49,7 +49,7 @@
 	andi	reg, reg, SR_KSU_USER;					\
 	beq	reg, $0, 64f;						\
 	nop;								\
-	cmove	$c25, $c0;						\
+	cmove	$c27, $c0;						\
 	cmove	$c0, $c30;						\
 64:
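Review bot: After `cmove $c27, $c0` at L114 the interrupted user's C0 is held in $c27, yet SAVE_CP2_CONTEXT at L126 in the next hunk still stores $c25 into CHERI_CR_C0_OFF as the saved UDC, and the cherireg.h comment in this change says C25 is what holds the saved user data capability during kernel execution. Unless code outside these hunks copies $c27 back into $c25 before the frame is saved, the frame's C0 slot would receive whatever $c25 last held rather than the user's C0, and the later RESTORE would hand that value back to userspace. Either keep the stash in the register the save path reads (`cmove $c25, $c0;`) or move SAVE/RESTORE to $c27 consistently, and say in the new "hard-coding of UDC" comment which register is the agreed home. The enclosing macro begins before this hunk.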
 
@@ -103,6 +103,8 @@
  * XXXRW: It woudld be nice to make calls to these conditional on actual CP2
  * coprocessor use, similar to on-demand context management for other MIPS
  * coprocessors (e.g., FP).
+ *
+ * XXXRW: Note hard-coding of UDC here.
  */
 #define	SAVE_CP2_CONTEXT(treg, base)					\
 	SAVE_U_PCB_CP2REG(treg, $c25, CHERI_CR_C0_OFF, base);		\
@@ -130,7 +132,7 @@
 	SAVE_U_PCB_CP2REG(treg, $c22, CHERI_CR_C22_OFF, base);		\
 	SAVE_U_PCB_CP2REG(treg, $c23, CHERI_CR_C23_OFF, base);		\
 	SAVE_U_PCB_CP2REG(treg, $c24, CHERI_CR_C24_OFF, base);		\
-	SAVE_U_PCB_CP2REG(treg, $c28, CHERI_CR_TSC_OFF, base);		\
+	SAVE_U_PCB_CP2REG(treg, $c26, CHERI_CR_C26_OFF, base);		\
 	SAVE_U_PCB_CP2REG(treg, $c31, CHERI_CR_PCC_OFF, base)
 
 #define	RESTORE_CP2_CONTEXT(treg, base)					\
@@ -159,7 +161,7 @@
 	RESTORE_U_PCB_CP2REG(treg, $c22, CHERI_CR_C22_OFF, base);	\
 	RESTORE_U_PCB_CP2REG(treg, $c23, CHERI_CR_C23_OFF, base);	\
 	RESTORE_U_PCB_CP2REG(treg, $c24, CHERI_CR_C24_OFF, base);	\
-	RESTORE_U_PCB_CP2REG(treg, $c28, CHERI_CR_TSC_OFF, base);	\
+	RESTORE_U_PCB_CP2REG(treg, $c26, CHERI_CR_C26_OFF, base);	\
 	RESTORE_U_PCB_CP2REG(treg, $c31, CHERI_CR_PCC_OFF, base)
 
 #endif /* _MIPS_INCLUDE_CHERIASM_H_ */

==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cherireg.h#5 (text+ko) ====

@@ -39,43 +39,39 @@
  * but perhaps it should be.
  */
 #define	CHERI_PERM_NON_EPHEMERAL		0x0001
-#define	CHERI_PERM_ACCESS_CR31			0x0002
-#define	CHERI_PERM_ACCESS_CR30			0x0004
-#define	CHERI_PERM_ACCESS_CR29			0x0008
-#define	CHERI_PERM_ACCESS_CR28			0x0010
-#define	CHERI_PERM_RESERVED1			0x0020
-#define	CHERI_PERM_RESERVED2			0x0040
-#define	CHERI_PERM_RESERVED3			0x0080
-#define	CHERI_PERM_SEAL				0x0100
-#define	CHERI_PERM_STORE_EPHEMERAL_CAPABILITY	0x0200
-#define	CHERI_PERM_LOAD				0x0400
-#define	CHERI_PERM_STORE			0x0800
-#define	CHERI_PERM_LOAD_CAP			0x1000
-#define	CHERI_PERM_STORE_CAP			0x2000
-#define	CHEIR_PERM_EXECUTE			0x4000
+#define	CHEIR_PERM_EXECUTE			0x0002
+#define	CHERI_PERM_LOAD				0x0004
+#define	CHERI_PERM_STORE			0x0008
+#define	CHERI_PERM_LOAD_CAP			0x0010
+#define	CHERI_PERM_STORE_CAP			0x0020
+#define	CHERI_PERM_STORE_EPHEM_CAP		0x0040
+#define	CHERI_PERM_SEAL				0x0080
+#define	CHERI_PERM_SETTYPE			0x0100
+#define	CHERI_PERM_RESERVED1			0x0200
+#define	CHERI_PERM_ACCESS_EPCC			0x0400
+#define	CHERI_PERM_ACCESS_KDC			0x0800
+#define	CHERI_PERM_ACCESS_KCC			0x1000
+#define	CHERI_PERM_ACCESS_KR1C			0x2000
+#define	CHERI_PERM_ACCESS_KR2C			0x4000
 
-/*
- * XXXRW: Should this include CHERI_UNSEALED?
- */
 #define	CHERI_PERM_PRIV							\
-	(CHERI_PERM_NON_EPHEMERAL | CHERI_PERM_ACCESS_CR31 |		\
-	CHERI_PERM_ACCESS_CR30 | CHERI_PERM_ACCESS_CR29 |		\
-	CHERI_PERM_ACCESS_CR28 | CHERI_PERM_SEAL |			\
-	CHERI_PERM_STORE_EPHEMERAL_CAPABILITY | CHERI_PERM_LOAD |	\
-	CHERI_PERM_STORE | CHERI_PERM_LOAD_CAP | CHERI_PERM_STORE_CAP |	\
-	CHEIR_PERM_EXECUTE)
+	(CHERI_PERM_NON_EPHEMERAL | CHERI_PERM_EXECUTE |		\
+	CHERI_PERM_LOAD | CHERI_PERM_STORE | CHERI_PERM_LOAD_CAP |	\
+	CHERI_PERM_STORE_CAP | CHERI_PERM_STORE_EPHEM_CAP |		\
+	CHERI_PERM_SEAL | CHERI_PERM_SETTYPE | CHERI_PERM_RESERVED1 |	\
+	CHERI_PERM_ACCESS_EPCC | CHERI_PERM_ACCESS_KDC |		\
+	CHERI_PERM_ACCESS_KCC | CHERI_PERM_ACCESS_KR1C |		\
+	CHERI_PERM_ACCESS_KR2C)
 
 #define	CHERI_PERM_USER							\
-	(CHERI_PERM_NON_EPHEMERAL | CHERI_PERM_SEAL |			\
-	CHERI_PERM_STORE_EPHEMERAL_CAPABILITY | CHERI_PERM_LOAD |	\
-	CHERI_PERM_STORE | CHERI_PERM_LOAD_CAP | CHERI_PERM_STORE_CAP |	\
-	CHEIR_PERM_EXECUTE)
+	(CHERI_PERM_NON_EPHEMERAL | CHERI_PERM_EXECUTE |		\
+	CHERI_PERM_LOAD | CHERI_PERM_STORE | CHERI_PERM_LOAD_CAP |	\
+	CHERI_PERM_STORE_CAP | CHERI_PERM_STORE_EPHEM_CAP |		\
+	CHERI_PERM_SEAL | CHERI_PERM_SETTYPE)
 
 /*
  * Definition for kernel "privileged" capability able to name the entire
  * address space.
- *
- * XXXRW: Perhaps CHERI_UCAP_UNPRIV_LENGTH should actually just cover useg.
  */
 #define	CHERI_CAP_PRIV_UPERMS		CHERI_PERM_PRIV
 #define	CHERI_CAP_PRIV_OTYPE		0x0
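Review bot: The new CHERI_PERM_PRIV (L191) and CHERI_PERM_USER (L204) expand to `CHERI_PERM_EXECUTE`, but the only definition kept at L166 is the misspelled `CHEIR_PERM_EXECUTE`, so any use of either mask will fail to compile unless the correctly spelled name is defined elsewhere; fix the definition to `#define CHERI_PERM_EXECUTE 0x0002` and, if existing users of the old name must keep building, add `#define CHEIR_PERM_EXECUTE CHERI_PERM_EXECUTE` beside it. Separately, CHERI_PERM_PRIV at L194 grants CHERI_PERM_RESERVED1, which means any permission the ISA later assigns to that bit is held by every privileged kernel capability by default; leaving reserved bits clear in the mask is the safer default, or at least the reason for setting it deserves a comment.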
@@ -94,6 +90,9 @@
 /*
  * Definition for capability unable to name any resources.  This is suitable
  * for filling capability registers that should hold no privilege.
+ *
+ * XXXRW: Probably no longer required in CHERI ISAv2 as we can clear
+ * registers.
  */
 #define	CHERI_CAP_NOPRIV_UPERMS		0x0
 #define	CHERI_CAP_NOPRIV_OTYPE		0x0
@@ -129,19 +128,32 @@
 #define	CHERI_CR_C22	22
 #define	CHERI_CR_C23	23
 #define	CHERI_CR_C24	24
-#define	CHERI_CR_UDC	25	/*   UDC: user data capability (saved C0). */
-#define	CHERI_CR_KT0	26	/*   KT0: temporary kernel capability. */
-#define	CHERI_CR_KT1	27	/*   KT1: temporary kernel capability. */
-#define	CHERI_CR_TSC	28	/*   TSC: trusted stack capability. */
-#define	CHERI_CR_KCC	29	/*   KCC: kernel code capability. */
-#define	CHERI_CR_KDC	30	/*   KDC: kernel data capability. */
-#define	CHERI_CR_EPCC	31	/*   EPCC: exception program counter cap. */
+#define	CHERI_CR_C25	25
+#define	CHERI_CR_C26	26
+#define	CHERI_CR_C27	27
+#define	CHERI_CR_C28	28
+#define	CHERI_CR_C29	29
+#define	CHERI_CR_C30	30
+#define	CHERI_CR_C31	31
 
-#define	CHERI_CR_CT0	CHERI_CR_C10	/*   CT0: temporary capability. */
+/*
+ * XXXRW: Note that UDC is used by the kernel to hold the saved user data
+ * capability during kernel execution.  In the future, this will change --
+ * instead we will swap with KR2C, and save it to a frame to be used as needed
+ * later.  In the mean time, userspace agrees not to use C25.
+ */
+#define	CHERI_CR_RCC	CHERI_CR_C24	/* Return code capability. */
+#define	CHERI_CR_UDC	CHERI_CR_C25	/* User data capability. */
+#define	CHERI_CR_IDC	CHERI_CR_C26	/* Invoked data capability.*/
+#define	CHERI_CR_KR1C	CHERI_CR_C27	/* Kernel reserved capability 1. */
+#define	CHERI_CR_KR2C	CHERI_CR_C28	/* Kernel reserved capability 2. */
+#define	CHERI_CR_KCC	CHERI_CR_C29	/* Kernel code capability. */
+#define	CHERI_CR_KDC	CHERI_CR_C30	/* Kernel data capability. */
+#define	CHERI_CR_EPCC	CHERI_CR_C31	/* Exception program counter cap. */
 
 /*
  * Offsets of registers in struct cp2_frame -- must match the definition in
- * cp2.h.  Observe the discontinuity after $udc.
+ * cheri.h.
  */
 #define	CHERI_CR_C0_OFF		0
 #define	CHERI_CR_C1_OFF		1
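Review bot: The rewritten comment at L264-L265 drops the sentence about the discontinuity in frame offsets, but the discontinuity still exists: CHERI_CR_C26_OFF is 25 in the following hunk (L274) because C25 is not saved as itself, so register numbers and frame offsets diverge after C24. Keep a sentence such as `* cheri.h.  Observe the discontinuity after C24: C25 (UDC) is saved via the C0 slot, so C26 is at offset 25 and PCC at 26.` so that anyone indexing the frame by register number is warned. The closing comment at L255 also lacks a space before `*/`.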
@@ -168,7 +180,41 @@
 #define	CHERI_CR_C22_OFF	22
 #define	CHERI_CR_C23_OFF	23
 #define	CHERI_CR_C24_OFF	24
-#define	CHERI_CR_TSC_OFF	25
+#define	CHERI_CR_C26_OFF	25
 #define	CHERI_CR_PCC_OFF	26
 
+/*
+ * List of CHERI capability cause code constants, which are used to
+ * disambiguate various CP2 exceptions.
+ *
+ * XXXRW: I wonder if we really need different permissions for each exception-
+ * handling capability.
+ *
+ * XXXRW: Curiously non-contiguous.
+ *
+ * XXXRW: KDC is listed as 0x1a in the spec, which collides with EPCC.  Not
+ * sure what is actually used.
+ */
+#define	CHERI_EXCCODE_NONE		0x00
+#define	CHERI_EXCCODE_LENGTH		0x01
+#define	CHERI_EXCCODE_TAG		0x02
+#define	CHERI_EXCCODE_SEAL		0x03
+#define	CHERI_EXCCODE_TYPE		0x04
+#define	CHERI_EXCCODE_CALL		0x05
+#define	CHERI_EXCCODE_RETURN		0x06
+#define	CHERI_EXCCODE_NON_EPHEM		0x10
+#define	CHERI_EXCCODE_PERM_EXEXCUTE	0x11
+#define	CHERI_EXCCODE_PERM_LOAD		0x12
+#define	CHERI_EXCCODE_PERM_STORE	0x13
+#define	CHERI_EXCCODE_PERM_LOADCAP	0x14
+#define	CHERI_EXCCODE_PERM_STORECAP	0x15
+#define	CHERI_EXCCODE_STORE_EPHEM	0x16
+#define	CHERI_EXCCODE_PERM_SEAL		0x17
+#define	CHERI_EXCCODE_PERM_SETTYPE	0x18
+#define	CHERI_EXCCODE_ACCESS_EPCC	0x1a
+#define	CHERI_EXCCODE_ACCESS_KDC	0x1b	/* XXXRW */
+#define	CHERI_EXCCODE_ACCESS_KCC	0x1c
+#define	CHERI_EXCCODE_ACCESS_KR1C	0x1d
+#define	CHERI_EXCCODE_ACCESS_KR2C	0x1e
+
 #endif /* _MIPS_INCLUDE_CHERIREG_H_ */
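Review bot: The new identifier at L297 is misspelled, `CHERI_EXCCODE_PERM_EXEXCUTE`; it should be `CHERI_EXCCODE_PERM_EXECUTE` before anything starts depending on it. The "curiously non-contiguous" numbering at L284 and the 0x1a/0x1b question at L286-L287 both appear to have the same explanation from the values in this file: each permission-related cause code is 0x10 plus the bit index of the matching CHERI_PERM_ flag (NON_EPHEMERAL bit 0 → 0x10, EXECUTE bit 1 → 0x11, ... SETTYPE bit 8 → 0x18, ACCESS_EPCC bit 10 → 0x1a, ACCESS_KR2C bit 14 → 0x1e), so the missing 0x19 is the RESERVED1 bit and 0x1b for KDC is what the pattern predicts. Recording that in the block comment, e.g. `* Codes 0x10-0x1e are 0x10 + the bit number of the corresponding CHERI_PERM_ flag; 0x19 is unused because bit 9 is reserved.`, would document the choice the XXXRW notes leave open, and a `CTASSERT(CHERI_EXCCODE_ACCESS_KDC == 0x10 + 11)`-style check could pin it if the spec is later corrected.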

